nanog mailing list archives

Re: using "reserved" IPv6 space


From: Owen DeLong <owen () delong com>
Date: Mon, 16 Jul 2012 08:43:00 -0700


On Jul 16, 2012, at 8:11 AM, -Hammer- wrote:

There are multiple issues here. I understand most folks on these threads are beyond me but I'm pretty sure I'm not 
the only person in this position.

1) (This one is currently a personal issue) I am still building up a true IPv6 skillset. Yes, I understand it for the 
most part but now is the time to apply it.

Frankly, IMHO, the best way to build up a truly useful IPv6 skill set is to start applying what you don't know and see 
what happens. For the most part, you will find that it is truly "96 more bits, no magic".

2) All the reading you do doesn't prepare you for application and the vendors aren't necessarily helping. Feature 
parity across platforms and vendors beyond just "interface x/x/x" and "ipv6 address fe80:blah:blah::babe:1" seems to 
seriously be lacking. When I try to take what I understand and apply it beyond the basics I often see hurdles.  
Example? HSRP IPv6 global addressing on Cisco ASR platform. If it's working for you hit me offline. Example2? Any 
vendor product beyond a router or switch. CheckPoint FW? F5 LB? Netscaler LB or AF? The WAN guys may be rolling deep 
in IPv6 but not everyone else. I just got an EA this morning from CheckPoint for NAT66. This should have been ready 
for prime time years ago. I guess the vendors weren't getting the push from the customers so there was no need to 
make an effort....

You probably meant 2001:db8:b1aa:b1aa::babe:1 ;-) (blah isn't hex and fe80::/10 is link local. 2001:db8::/16 is the 
example prefix)

For the most part, HSRP really isn't even necessary or useful in IPv6 since ND should take care of what HSRP did for 
IPv4.

I believe F5 has rolled out IPv6 in a subset of their products and that you need pretty recent versions to get IPv6 
functionality from them. The ARIN Wiki (http://www.getipv6.info) may be a good source of information on various vendor 
statuses. Contribute what you know/find out there as well, please.

Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being able to eliminate NAT. NAT was a necessary 
evil for IPv4 address conservation. It has no good use in IPv6.

3) When I'm not preoccupied attempting to digest the fundamentals I am well aware of the retooling of the brain that 
is required for this in a network design. Last year I reached out to Team Cymru and attempted to build an IPv6 router 
template to match their IPv4 template. It was a completely different animal. Ironically most of the STIGs and NSA 
reference garbage I used was ten years old but still applied. After going thru all those docs my brain hurt trying to 
orient my ACLs properly and go thru all the different attributes you want to block where and when. Then I spent some 
time trying to work our design schemas for our ARIN space with the WAN design team. What I'm trying to say is that 
Robert's comments are spot on. It is a very different way of thinking on a small scale and a large scale and you can't 
take your IPv4 logic and apply it. I've tried and it's just slowing me down.

Yes and no. If you have been doing IPv4 long enough to remember pre-NAT IPv4, then, you just need to remember some of 
the old ways of IPv4. If you have no recollection of IPv4 without NAT, then, you are correct, it is a huge paradigm 
shift to go back to the way the internet is supposed to have been before we ran out of addresses.

Owen



-Hammer-

"I was a normal American nerd"
-Jack Herer

On 7/15/2012 10:35 PM, Lee wrote:
On 7/14/12, Robert E. Seastrom <rs () seastrom com> wrote:
Actually, that's one of the most insightful meta-points I've seen on
NANOG in a long time.

There is a HUGE difference between IPv4 and IPv6 thinking.  We've all
been living in an austerity regime for so long that we've completely
forgotten how to leave parsimony behind.  Even those of us who worked
at companies that were summarily handed a Class B when we mumbled
something about "internal subnetting" have a really hard time
remembering how to act when we suddenly don't have to answer for every
single host address and can design a network to conserve other things
(like our brain cells).
Suggestions?

I feel like I should be able to do something really nice with an
absurdly large address space.  But lack of imagination or whatever.. I
haven't come up with anything that really appeals to me.

Thanks,
Lee


-Hammer- <bhmccie () gmail com> writes:

<bashes head against wall>

Thank you all. It's not the protocol that hurts. It's rethinking the
culture/philosophy around it.

-Hammer-

On 7/14/12 3:20 PM, "Owen DeLong" <owen () delong com> wrote:

They're a bad thing in IPv6.

The only place for security through obscurity IMHO is a small round
container that sits next to my desk.

Besides, if you don't advertise it, a GUA prefix is just as obscure as a
ULA prefix and provides a larger search space in which one has to hunt
for it... Think /3 instead of /8.

Owen

On Jul 14, 2012, at 1:14 PM, -Hammer- wrote:

Guys,
   The whole purpose of this is that they do NOT need to be global.
Security thru obscurity. It actually has a place in some worlds. Does
that
make sense? Or are such V4-centric approaches a bad thing in v6?

On 7/13/12 8:41 PM, "Brandon Ross" <bross () pobox com> wrote:

On Fri, 13 Jul 2012, Owen DeLong wrote:

On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:

keep life simple.  use global ipv6 space.

randy

Though it is rare, this is one time when I absolutely agree with
Randy.

It's even more rare for me to agree with Randy AND Owen at the same
time.

--
Brandon Ross                                  Yahoo & AIM: BrandonNRoss
+1-404-635-6667                               ICQ: 2269442
Schedule a meeting:  https://tungle.me/bross  Skype: brandonross
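Two points in this thread lend themselves to a concrete check: Owen's note that "blah" is not hex and that fe80::/10 is link-local while 2001:db8:: is the documentation prefix, and his later remark that an unadvertised GUA prefix hides in a /3 rather than a /8. The script below is an added example written for this archive page, not code posted by any participant. It uses only the Python standard library. The ranges are the well-known ones from RFC 4291 (2000::/3 global unicast, fe80::/10 link-local), RFC 4193 (fc00::/7 ULA) and RFC 3849 (2001:db8::/32 documentation). It assumes Owen's "/3" means 2000::/3 and his "/8" means fd00::/8 (the locally assigned half of ULA); the sample addresses are constructed for the example.

```python
import ipaddress

# Well-known IPv6 ranges discussed in the thread. Order matters: the
# documentation prefix sits inside 2000::/3, so it must be tested first.
RANGES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),      # RFC 4291
    ("documentation", ipaddress.ip_network("2001:db8::/32")),  # RFC 3849
    ("ula", ipaddress.ip_network("fc00::/7")),             # RFC 4193
    ("global-unicast", ipaddress.ip_network("2000::/3")),  # RFC 4291
]


def classify(text):
    """Return the scope name for an IPv6 address string.

    Returns 'invalid' when the string does not parse (e.g. non-hex groups
    such as 'blah'), 'other' for addresses outside the ranges above.
    """
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return "invalid"
    for name, net in RANGES:
        if addr in net:
            return name
    return "other"


def prefixes_in(container_len, prefix_len):
    """Number of /prefix_len networks that fit inside one /container_len block.

    With prefix_len=48 this gives the size of the search space an attacker
    faces when guessing an unadvertised site prefix in that block.
    """
    if prefix_len < container_len:
        raise ValueError("prefix must be no shorter than its container")
    return 1 << (prefix_len - container_len)


if __name__ == "__main__":
    # Constructed sample inputs, including the 'blah' address from the thread.
    for sample in [
        "fe80:blah:blah::babe:1",
        "fe80::babe:1",
        "2001:db8:b1aa:b1aa::babe:1",
        "fd12:3456:789a::1",
        "2600:1:2:3::4",
        "::1",
    ]:
        print(f"{sample:30} {classify(sample)}")

    gua_sites = prefixes_in(3, 48)   # /48s inside 2000::/3
    ula_sites = prefixes_in(8, 48)   # /48s inside fd00::/8
    print(f"/48s in 2000::/3: 2^{gua_sites.bit_length() - 1}")
    print(f"/48s in fd00::/8: 2^{ula_sites.bit_length() - 1}")
    print(f"GUA search space is {gua_sites // ula_sites}x larger")
```

The second function only counts candidate prefixes; it says nothing about whether a prefix is reachable, which is the actual point of "if you don't advertise it". Routing reachability, not prefix choice, is what decides exposure.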